refactor: replace pkg_resources with importlib (#1521) #1542
Conversation
XDRAGON2002
force-pushed
the
issue_1521
branch
from
aa4f5d1 to
cbf573a
Compare
| if sys.version_info >= (3, 8): | ||
| from importlib import metadata as importlib_metadata | ||
| else: | ||
| import importlib_metadata |
There was a problem hiding this comment.
Just checking this is not enough, we will actually need to include importlib_metadata dependency for Python less than 3.8 (which is only 3.7 at this point).
You will need to add this line to requirements.txt:
importlib_metadata;python_version<"3.8"
You may ask: but why do all tests pass on Python 3.7 in CI? That's because this package is required by some doc package that we use (sphinx-markdown-tables requires Markdown which in turn requires our importlib_metadata) but the end user might not use docs functionality. And it's better to be explicit about it. Especially because we will most likely remove this workaround at the end of the year when Python 3.7 goes out of support.
There was a problem hiding this comment.
Oh okay, I was actually just going to ask about the 3.7 tests, thanks for the explanation.
Will add importlib to the requirements file as well as rename the commit to adhere to standards.
XDRAGON2002
force-pushed
the
issue_1521
branch
from
0cd9608 to
8c588ba
Compare
.github/workflows/pythonapp.yml
Outdated
| @@ -288,7 +288,7 @@ jobs: | |||
| - name: Install dependencies | |||
| run: | | |||
| python -m pip install --upgrade pip setuptools wheel | |||
| pip install -r requirements.txt -r doc/requirements.txt | |||
| pip install . -r doc/requirements.txt | |||
| - name: Test to check for CVEs for python requirements and HTML report dependencies | |||
There was a problem hiding this comment.
Is there a need to change it? Both does the same right?
There was a problem hiding this comment.
As far as I understand it, we were not installing the current version of cve-bin-tool to be used (hence the . to specify the updated version)
There was a problem hiding this comment.
we were not installing the current version of cve-bin-tool to be used
I didn't get this part. Did you mean current versions of dependencies?
There was a problem hiding this comment.
No, I mean the cve-bin-tool as a whole (instead of pypi we get it from setup.py i.e. the current copy on which the tests are running)
There was a problem hiding this comment.
The old one just installs all required packages for cve-bin-tool but not the tool itself. The new one installs the tool (with all dependencies of course).
This is needed to fix the test, copying my comments from gitter
this is an interesting one, I'm actually not sure how this test worked before because it doesn't install cve-bin-tool explicitly
in .github/workflows/pythonapp.yml replace line 291 with this one
-pip install -r requirements.txt -r doc/requirements.txt
+pip install . -r doc/requirements.txtah, I know why
it's because of the caching that we use. This job workflow has the same cache key as other jobs so when restoring the cache it already had cve-bin-tool installed
in other jobs it is explicitly reinstalled to use the latest commit and in this job we ended up with some old version and never reinstalled the tool
XDRAGON2002
changed the title
Codecov Report
@@ Coverage Diff @@
## main #1542 +/- ##
==========================================
- Coverage 79.18% 79.15% -0.03%
==========================================
Files 281 281
Lines 5548 5555 +7
Branches 905 908 +3
==========================================
+ Hits 4393 4397 +4
Misses 971 971
- Partials 184 187 +3
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
|
The dependency tests failed again, maybe because the requirements.txt and requirements.csv are out of sync? (as stated in the |
Yes, but I'm not sure what to put as a vendor, |
I was looking around for the same, didn't find anything yet. |
|
Usually we put the vendor name as in the CVE database. If they don't exist in the database we put |
XDRAGON2002
force-pushed
the
issue_1521
branch
from
e173876 to
2981fe1
Compare
|
Added dependency in requirements.csv as well, I guess the PR is complete now? |
XDRAGON2002
force-pushed
the
issue_1521
branch
from
2981fe1 to
47eab1f
Compare
|
Rebased to main and resolved all merge conflicts. |
It looks like you did a combination of merges and rebase. For future reference, try squashing commits in your rebase, it is a really powerful tool that allows you to keep commit history clean. You now need to rerun isort on this branch to fix the failing lint check. |
Right, I didn't look into squashing the commits (which I should have done considering I have numerous small commits), should have done that from the start. |
|
Strange, Windows tests failed because "pip" threw an error. I don't know what could have caused this. |
This is indeed strange and I can replicate it outside of this repo. It seems like there is something wrong with setup-python Action with pip caching enabled/pip/GitHub Actions runner or a combination of those. I will file a bug report in the setup-python repo first 🤔
It is 403 from NVD again so just rate limiting I guess. Won't be fixed until we fix passing NVD API key in CI.
I don't think it would help until the first issue is fixed upstream (Windows tests). |
|
Thanks for pinpointing the issue! |
|
setup-python@v2.3.2 was released that fixes this issue. No changes from us are required because v2 tag was updated to point at the new release. Just rerunning CI should be enough. |
|
Rerun CI, again got NVD rate limited, but all other tests have passed. |
Fixes #1521
Removed occurrences of pkg_resources from cli.py, version_scanner.py and test_checkers.py.